Date: 4 Aug 2004 19:46:02 -0000
From: Mandrake Linux Security Team <[email protected]>
To: [email protected]Subject: MDKSA-2004:079 - Updated libpng packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: libpng
Advisory ID: MDKSA-2004:079
Date: August 4th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Chris Evans discovered numerous vulnerabilities in the libpng graphics
library, including a remotely exploitable stack-based buffer overrun in
the png_handle_tRNS function, dangerous code in png_handle_sBIT, a
possible NULL-pointer crash in png_handle_iCCP (which is also
duplicated in multiple other locations), a theoretical integer overflow
in png_read_png, and integer overflows during progressive reading.
All users are encouraged to upgrade immediately.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599http://www.kb.cert.org/vuls/id/388984http://www.kb.cert.org/vuls/id/236656http://www.kb.cert.org/vuls/id/160448http://www.kb.cert.org/vuls/id/477512http://www.kb.cert.org/vuls/id/286464http://www.kb.cert.org/vuls/id/817368
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
5f2e0ce336d0854b79426e3ee2fc9c1c 10.0/RPMS/libpng3-1.2.5-10.5.100mdk.i586.rpm
a08aee71d41f2fd270e657053ed16a18 10.0/RPMS/libpng3-devel-1.2.5-10.5.100mdk.i586.rpm
997b909be31340ab48a5c8266364d9f1 10.0/RPMS/libpng3-static-devel-1.2.5-10.5.100mdk.i586.rpm
5402d26cab5f03469f22f10e7279a64f 10.0/SRPMS/libpng-1.2.5-10.5.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
7f4dbf94ab247849e8efb3034c6bb046 amd64/10.0/RPMS/lib64png3-1.2.5-10.5.100mdk.amd64.rpm
7f2e23c89e39423b2499798cad32fc13 amd64/10.0/RPMS/lib64png3-devel-1.2.5-10.5.100mdk.amd64.rpm
ac6b7e03e3e816efa8744816d596338f amd64/10.0/RPMS/lib64png3-static-devel-1.2.5-10.5.100mdk.amd64.rpm
5402d26cab5f03469f22f10e7279a64f amd64/10.0/SRPMS/libpng-1.2.5-10.5.100mdk.src.rpm
Corporate Server 2.1:
6cf56378665f973c6b96a487db31f2df corporate/2.1/RPMS/libpng3-1.2.4-3.7.C21mdk.i586.rpm
4dfb84e68f30cc4de1ddf2085ef74ebd corporate/2.1/RPMS/libpng3-devel-1.2.4-3.7.C21mdk.i586.rpm
68adca80324ccf10ecf386466673ff5e corporate/2.1/RPMS/libpng3-static-devel-1.2.4-3.7.C21mdk.i586.rpm
e37d6b112471f9fbd39eee11db336a8e corporate/2.1/SRPMS/libpng-1.2.4-3.7.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
bb2f7ccff93adcf0f466cb4741f09440 x86_64/corporate/2.1/RPMS/libpng3-1.2.4-3.7.C21mdk.x86_64.rpm
22bd27f48fa0fd1e0510c3066ab67325 x86_64/corporate/2.1/RPMS/libpng3-devel-1.2.4-3.7.C21mdk.x86_64.rpm
769bb0aa09bf26b1ff64a9cd5e5a452e x86_64/corporate/2.1/RPMS/libpng3-static-devel-1.2.4-3.7.C21mdk.x86_64.rpm
e37d6b112471f9fbd39eee11db336a8e x86_64/corporate/2.1/SRPMS/libpng-1.2.4-3.7.C21mdk.src.rpm
Mandrakelinux 9.1:
6fd39e5ee6bc8dc031bf3ea4608b2dcf 9.1/RPMS/libpng3-1.2.5-2.5.91mdk.i586.rpm
e29e3f15812654860e80987ff169ed0a 9.1/RPMS/libpng3-devel-1.2.5-2.5.91mdk.i586.rpm
f8fbbf2d3bd57ffb967a12fa84806793 9.1/RPMS/libpng3-static-devel-1.2.5-2.5.91mdk.i586.rpm
c1f995c1738591bf1436386c19f220f8 9.1/SRPMS/libpng-1.2.5-2.5.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
db141bfa829164296790fc5ecaeca8af ppc/9.1/RPMS/libpng3-1.2.5-2.5.91mdk.ppc.rpm
cf12eb035d71e045bca05a351d2e12b5 ppc/9.1/RPMS/libpng3-devel-1.2.5-2.5.91mdk.ppc.rpm
37ed0b8a240466482f3e3e079397aca3 ppc/9.1/RPMS/libpng3-static-devel-1.2.5-2.5.91mdk.ppc.rpm
c1f995c1738591bf1436386c19f220f8 ppc/9.1/SRPMS/libpng-1.2.5-2.5.91mdk.src.rpm
Mandrakelinux 9.2:
73dcbcff5ec15f8d0c683e85357ba292 9.2/RPMS/libpng3-1.2.5-7.5.92mdk.i586.rpm
7d1493bececc9a48b84061b3eae8d92f 9.2/RPMS/libpng3-devel-1.2.5-7.5.92mdk.i586.rpm
32d8f720ff4f9e2dcfd7e07a7f3b221c 9.2/RPMS/libpng3-static-devel-1.2.5-7.5.92mdk.i586.rpm
9ada13b517e9d757874bd235de565fc8 9.2/SRPMS/libpng-1.2.5-7.5.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
ce8a91d600fba2cdcc4cbfa73528f0cd amd64/9.2/RPMS/lib64png3-1.2.5-7.5.92mdk.amd64.rpm
231a4e5d6f11d262bb5bc6b7563ad93f amd64/9.2/RPMS/lib64png3-devel-1.2.5-7.5.92mdk.amd64.rpm
1f63ad149a23fd5f2e9c9007b162235b amd64/9.2/RPMS/lib64png3-static-devel-1.2.5-7.5.92mdk.amd64.rpm
9ada13b517e9d757874bd235de565fc8 amd64/9.2/SRPMS/libpng-1.2.5-7.5.92mdk.src.rpm
Multi Network Firewall 8.2:
f8ec19565a938e22f23e39b444d208a2 mnf8.2/RPMS/libpng3-1.2.4-3.7.M82mdk.i586.rpm
99b28bb4446212b3cf099640a876c44e mnf8.2/SRPMS/libpng-1.2.4-3.7.M82mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFBETz6mqjQ0CJFipgRAvFmAKCcUjBy2p3bE5PXyz632vO7913KSgCfQg6n
2U1ygm+s21s2MMZP+5eBG8I=
=zRaM
-----END PGP SIGNATURE-----